DIGITAL FORENSIC ANALYSIS METHODOLOGY

Last Updated: August 22, 2007

LISTS
Search Leads

PROCESS OVERVIEW
OBTAINING & IMAGING FORENSIC DATA FORENSIC REQUEST PREPARATION / EXTRACTION
1 2 3

Data Search Leads

Comments/Notes/Messages

IDENTIFICATION

ANALYSIS

FORENSIC REPORTING

CASELEVEL ANALYSIS

Generally this involves opening a case file in the tool of choice and importing forensic Use this section as image file. This could also include recreating needed. a network environment or database to mimic the original environment. Sample Note: Please notify case agent Sample Data Search Leads: when forensic data Identify and extract all email and deleted preparation is items. completed. Search media for evidence of child pornography. Configure and load seized database for data mining. Recover all deleted files and index drive for review by case agent/forensic examiner.

Extracted Data
Prepared / Extracted Data Comments/Notes/Messages Prepared / Extracted Data List is a list of Use this section as needed. items that are prepared or extracted to allow identification of Data pertaining to the Sample Message: forensic request. Numerous files located in c:\movies directory Sample Prepared / Extracted Data items: have .avi extensions but are actually Excel Processed hard drive image using Encase spreadsheets. or FTK to allow a case agent to triage the contents. Exported registry files and installed registry viewer to allow a forensic examiner to examine registry entries. A seized database files is loaded on a database server ready for data mining.

PREPARATION / EXTRACTION

IDENTIFICATION

ANALYSIS

Start Wait for resolution.

Start Is there Unprocessed data in the Prepared/Extracted Data List? Yes What type of item is it. Document this item and all relevant meta data and attributes on Relevant Data List.

3
No

Start Is there data for analysis/more data analysis needed? Yes

No

Does request contain sufficient information to start this process?

No

Coordinate with Requester to Determine next step.

Relevant Data Who/What

Who or what application created, edited, modified, sent, received, or caused the file to be? Who is this item linked to and identified with?
Relevant Data Relevant Data List is a list of data that is relevant to the forensic request. For example: Comments/Notes/Messages Use this section as needed. Sample Note: Attachment in Outlook.pst>message05 has a virus in it. Make sure an anti-virus software is installed before exporting and opening it. Identified and recovered 12 emails detailing plan to commit crime.

Yes. Setup and validate forensic hardware and software; create system configuration as needed. Integrity not OK

Data relevant to the forensic request

Return package to Requester.

Where
Where was it found? Where did it come from? Does it show where relevant events took place?

Duplicate and verify integrity of Forensic Data? Integrity OK Organize / Refine forensic request and select forensic tools.

Incriminating Information outside scope of the warrant

If item can generate new Data Search Leads, document new leads to Data Search Lead List.

If new Data Search Lead is generated, Start PREPARATION / EXTRACTION.

When
When was it created, accessed, modified, received, sent, viewed, deleted, and launched? Does it show when relevant events took place? Time Analysis: What else happened on the system at same time? Were registry keys modified?

If item or discovered information can generate new Data Search Leads, document new leads to Data Search Lead List.

If new Data Search Leads generated, Start PREPARATION / EXTRACTION.

If the forensic request is finding information relating credit card fraud, any credit card number, image of credit card, emails discussing making credit card, web cache that shows the date, time and search term used to find credit card number program, Etc are Relevant Data as evidence. In addition, Victim information retrieved is also Relevant Data for purpose of victim notification.

New Data Source Leads

New Source of Data Leads Comments/Notes/Messages This is self explanatory. Use New Source of Data Lead List is a list of data this section as needed. that should be obtained to corroborate or further investigative efforts. Sample Notes: During forensic analysis of Sample New Source of Data Leads: subject John Does hard drive image on credit card Email address: Jdoe@email.com. fraud, a email message Server logs from FTP server. revealed that Jane Doe Subscriber information for an IP address. asks John Doe for payment Transaction logs from server. on credit card printing machine.

How Data NOT relevant to forensic request Stop! Notify appropriate personnel; wait for instruction If item or discovered information can generate New Source of Data, document new lead on New Source of Data Lead List. If New Source of Data Lead generated, Start OBTAINING & IMAGING FORENSIC DATA.
How did it originate on the media? How was it created, transmitted, modified and used? Does it show how relevant events occurred?

Associated Artifacts and Metadata

Registry entries. Application/system logs.

Extract data requested Add Extracted data to Prepared /Extracted Data List.

Yes Is there more Data Search Lead for processing?

Other Connections
Do the above artifacts and metadata suggest links to any other items or events? What other correlating or corroborating information is there about the item? What did the user do with the item?

If item or discovered information can generate New Source of Data, document new lead on New Source of Data Lead List.

If New Source of Data Lead generated, Start OBTAINING & IMAGING FORENSIC DATA.

Consider Advising Requester of initial findings

Analysis Results
Analysis Results Analysis Result List is a list of meaningful data that answers the who, what, when, where and how questions in satisfying the forensic request. Comments/Notes/Messages Use this section as needed Sample Notes: 1. 10.dat, message5.eml and stegano.exe show that John Doe used steganography tool to hides a ten dollar image in 10.dat at 11:03 PM 01/05/ 03 and emailed it to Jane Doe at 11:10 PM 01/05/03.

Identify any other information that is relevant to the forensic request. Use timeline and/or other methods to document findings on Analysis Results List.

Mark Data Search Lead processed on Data Search Lead List.

No Start IDENTIFICATION. Mark item processed on Prepared/Extracted Data List. If there is data for analysis, Start ANALYSIS

Mark Relevant Data item processed on Relevant Data List.

Start FORENSIC REPORTING to Document Findings.

Sample Analysis Results: 1. \Windows\$NtUninstallKB887472$\ 10.dat \data\sentbox.dbx\message5.eml \Special Tools\stegano.exe

Modified and emailed img to ...

Return On Investment

(Determine when to stop this process. Typically, after enough evidence is obtained for prosecution, the value of additional forensic analysis diminishes.)

1/4/03

1/5/03

01000100010011110100101000100000010000110100001101001001010100000101001100100000010011110111011001101001011001010010000001000011011000010111001001110010011011110110110001101100001000000110000101101110011001000010000001010100011010000110111101101101011000010111001100100000010100110110111101101110011001110010000001000100010011110100101000100000010000110100001101001001010100000101001100100000

Department of Justice (DOJ) Computer Crime and intellectual Property Section (CCIPS) Cybercrime Lab http://www.cybercrime.gov (202) 514-1026